[redhat-lspp] IPSec Configuration doc
Paul Moore
paul.moore at hp.com
Thu Nov 16 19:56:37 UTC 2006
Joy Latten wrote:
> Klaus requested some basic steps and info for
> configuring labeled ipsec. I started and came up with
> the following which can later be used to assist those
> new to labeled ipsec and wishing to understand and use it.
> This is by no means complete. I will fill in and improve
> in time. Let me know if anything is incorrect or can be improved.
>
> Currently, I am unable to successfully configure and run labeled
> ipsec in enforcing mode on lspp 55 kernel. I'm working on ironing out
> policy complaints so we can run in enforcing mode. Has anyone else
> tried this?
Thanks for sending this out.
Based on your instructions I'm trying to setup a simple, manually keyed labeled
IPsec connection between two machines running the lspp.55 kernel; both are using
the MLS policy in permissive mode. Unfortunately, I can't seem to get it to
work; I assume I am doing something wrong but it is not obvious to me ...
* IP addresses
- sifl: 10.0.0.1
- olly: 10.0.0.2
* setkey commands
- sifl
spdadd 10.0.0.1 10.0.0.2 any
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-P out ipsec esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-P in ipsec esp/transport//require;
add 10.0.0.1 10.0.0.2 esp 84001 -m transport
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-E 3des-cbc "06183223c23a21e8b36c566b"
-A hmac-md5 "IPSETEST89ABCDEF";
add 10.0.0.2 10.0.0.1 esp 84002 -m transport
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-E 3des-cbc "06183223c23a21e8b36c566b"
-A hmac-md5 "IPSETEST89ABCDEF";
- olly
spdadd 10.0.0.2 10.0.0.1 any
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-P out ipsec esp/transport//require;
spdadd 10.0.0.1 10.0.0.2 any
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-P in ipsec esp/transport//require;
add 10.0.0.1 10.0.0.2 esp 84001 -m transport
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-E 3des-cbc "06183223c23a21e8b36c566b"
-A hmac-md5 "IPSETEST89ABCDEF";
add 10.0.0.2 10.0.0.1 esp 84002 -m transport
-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
-E 3des-cbc "06183223c23a21e8b36c566b"
-A hmac-md5 "IPSETEST89ABCDEF";
Any help would be greatly appreciated.
--
paul moore
linux security @ hp
More information about the redhat-lspp
mailing list